I am building a client for a SOAP web service provided by an external party. The WSDL uses policy assertions to specify security. This includes using an X509 certificate, a SecureConversationToken and transport over HTTPS.
If I comment out the HTTPS parts of the policy, I can generate requests from the client. However, when I uncomment them, I get an exception saying the security configuration could not be detected:
Caused by: org.apache.cxf.ws.policy.PolicyException: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a ws-security.signature.properties element within it.
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1851)
at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java:1748)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doX509TokenSignature(TransportBindingHandler.java:359)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:297)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:252)
at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
If I put a breakpoint where the exception is thrown, I can see that the assertion it is trying to satisfy is X509Token.
The policy is:
<wsp:Policy wsu:Id="WSHttpBinding_IFeederService_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false" />
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:BootstrapPolicy>
                <wsp:Policy>
                  <sp:SignedParts>
                    <sp:Body />
                    <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                    <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
                    <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
                    <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
                    <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
                    <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
                    <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                  </sp:SignedParts>
                  <sp:EncryptedParts>
                    <sp:Body />
                  </sp:EncryptedParts>
                  <sp:TransportBinding>
                    <wsp:Policy>
                      <sp:TransportToken>
                        <wsp:Policy>
                          <sp:HttpsToken RequireClientCertificate="false" />
                        </wsp:Policy>
                      </sp:TransportToken>
                      <sp:AlgorithmSuite>
                        <wsp:Policy>
                          <sp:Basic256 />
                        </wsp:Policy>
                      </sp:AlgorithmSuite>
                      <sp:Layout>
                        <wsp:Policy>
                          <sp:Strict />
                        </wsp:Policy>
                      </sp:Layout>
                      <sp:IncludeTimestamp />
                    </wsp:Policy>
                  </sp:TransportBinding>
                  <sp:EndorsingSupportingTokens>
                    <wsp:Policy>
                      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                          <sp:RequireThumbprintReference />
                          <sp:WssX509V3Token10 />
                        </wsp:Policy>
                      </sp:X509Token>
                      <sp:SignedParts>
                        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                      </sp:SignedParts>
                    </wsp:Policy>
                  </sp:EndorsingSupportingTokens>
                  <sp:Wss11>
                    <wsp:Policy>
                      <sp:MustSupportRefThumbprint />
                    </wsp:Policy>
                  </sp:Wss11>
                  <sp:Trust10>
                    <wsp:Policy>
                      <sp:MustSupportIssuedTokens />
                      <sp:RequireClientEntropy />
                      <sp:RequireServerEntropy />
                    </wsp:Policy>
                  </sp:Trust10>
                </wsp:Policy>
              </sp:BootstrapPolicy>
            </wsp:Policy>
          </sp:SecureConversationToken>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy />
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportIssuedTokens />
          <sp:RequireClientEntropy />
          <sp:RequireServerEntropy />
        </wsp:Policy>
      </sp:Trust10>
      <wsaw:UsingAddressing />
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The parts I removed to make it "work" without HTTPS were the first sp:TransportBinding and the second sp:TransportToken.
My configuration is:
<jaxws:client name="{http://tempuri.org/}IFeederService" createdFromAPI="true">
  <jaxws:properties>
    <entry key="ws-security.callback-handler.sct">
      <bean class="nz.govt.moh.common.security.FixedWSPasswordCallbackHandler">
        <property name="password" value="password" />
      </bean>
    </entry>
    <entry key="ws-security.signature.properties.sct" value="spring/eps-test-client-keystore.properties" />
  </jaxws:properties>
</jaxws:client>
The properties file defines:
org.apache.ws.security.crypto.merlin.keystore.file
org.apache.ws.security.crypto.merlin.keystore.password
org.apache.ws.security.crypto.merlin.keystore.type
org.apache.ws.security.crypto.merlin.keystore.alias
I have also tried adding ws-security.callback-handler and ws-security.signature.properties (with the same values as the sct ones), and also ws-security.username and ws-security.username.sct. With the HTTPS bits turned off it works without any of these.
When I enable HTTPS, I add:
<http:conduit name="{http://tempuri.org/}IFeederService.http-conduit">
  <http:tlsClientParameters>
    <sec:trustManagers>
      <sec:keyStore file="${jetty.eps.ssl.keystore.file}" password="${jetty.eps.ssl.keystore.password}" type="${jetty.eps.ssl.keystore.type}" />
    </sec:trustManagers>
    <sec:cipherSuitesFilter>
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024_.*</sec:include>
      <sec:include>.*_WITH_DES_.*</sec:include>
      <sec:include>.*_WITH_AES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
    </sec:cipherSuitesFilter>
  </http:tlsClientParameters>
</http:conduit>
I am using CXF version 2.7.7 with Java 6. (I tried upgrading to 3.0.x but ran into other problems; I could try that again now that I have a better understanding of CXF.)
Any ideas on what I am doing wrong? Is there something else that needs to be specified in order to use HTTPS? Is there a working example that uses securitypolicy, secureconversation and HTTPS?
Thanks for your help, Damon
Answer 0 (score: 0)
It turns out I was using the wrong name for the jaxws:client. I had taken the last part of the name from the wsdl:portType instead of the wsdl:port. When I commented out the HTTPS bits in the WSDL it actually sent a request even with the wrong name, but with the full WSDL it complained because it could not find the security configuration.
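One way to catch the mistake described in the answer before deployment, as an added example that is not code from the question or the answer: resolve each jaxws:client name against the wsdl:port QNames of the WSDL instead of the wsdl:portType names. The sample WSDL and the port name WSHttpBinding_IFeederService are constructed assumptions (the page does not show the real WSDL); the portType IFeederService and the client name are taken from the page.

```python
# Added example, not from the question or answer. CXF looks up a client's
# WS-Security properties by the port QName "{targetNamespace}portName", so a
# jaxws:client name built from wsdl:portType matches nothing.
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
JAXWS_NS = "http://cxf.apache.org/jaxws"

# Constructed sample WSDL. The port name WSHttpBinding_IFeederService is an
# assumption; the portType name IFeederService is the one on the page.
SAMPLE_WSDL = """<wsdl:definitions targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://tempuri.org/">
  <wsdl:portType name="IFeederService"/>
  <wsdl:binding name="WSHttpBinding_IFeederService" type="tns:IFeederService"/>
  <wsdl:service name="FeederService">
    <wsdl:port name="WSHttpBinding_IFeederService"
               binding="tns:WSHttpBinding_IFeederService"/>
  </wsdl:service>
</wsdl:definitions>"""

# The client element as configured in the question (name taken from the portType)...
WRONG_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:client name="{http://tempuri.org/}IFeederService" createdFromAPI="true"/>
</beans>"""

# ...and the same element with the name taken from the (assumed) wsdl:port.
FIXED_CONFIG = WRONG_CONFIG.replace("}IFeederService", "}WSHttpBinding_IFeederService")

def wsdl_qnames(wsdl_xml):
    """Return (port QNames, portType QNames) in CXF's "{ns}local" form."""
    root = ET.fromstring(wsdl_xml)
    tns = root.get("targetNamespace")
    qn = lambda el: "{%s}%s" % (tns, el.get("name"))
    ports = {qn(p) for p in root.iter("{%s}port" % WSDL_NS)}
    port_types = {qn(t) for t in root.iter("{%s}portType" % WSDL_NS)}
    return ports, port_types

def check_client_names(config_xml, wsdl_xml):
    """Classify every jaxws:client name as 'ok', 'portType' (the bug here) or 'unknown'."""
    ports, port_types = wsdl_qnames(wsdl_xml)
    root = ET.fromstring(config_xml)
    verdict = {}
    for client in root.iter("{%s}client" % JAXWS_NS):
        name = client.get("name")
        verdict[name] = ("ok" if name in ports
                         else "portType" if name in port_types else "unknown")
    return verdict
```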